A digital illustration of a crowd of people wearing masks due to the coronavirus pandemic.

Tech companies are developing new contact-tracing apps, sharing people's location information with health researchers, and taking other steps to put consumer data to work in the fight against the coronavirus pandemic. Now, lawmakers are writing laws to ensure the increased surveillance doesn’t also end up hurting consumers.

Over the past two weeks, legislators in the House and Senate proposed competing privacy bills that would establish safeguards.

The bills differ in some big ways, but both include rules mandating transparency and consent, and controlling the use of data for purposes other than public health. The first, the COVID-19 Consumer Data Protection Act, was introduced by Senate Republicans last week. Democrats introduced a counterproposal today, the Public Health Emergency Privacy Act. 

More on Privacy and the Coronavirus

Tech companies are taking a variety of approaches to collecting and sharing consumer data in the wake of the pandemic.

A Facebook survey conducted by researchers at Carnegie Mellon University is tracking symptoms to look for new hot spots around the country. Ancestry and 23andMe are using their collections of DNA data to search for genetic clues that might predict how severely a patient will react to a coronavirus infection. Apple and Google joined forces to build a contact tracing technology that uses Bluetooth signals from cell phones to identify and notify people who have been exposed to someone infected with the coronavirus. And businesses from location data brokers to smart thermometer companies are repurposing other kinds of data for public health research.

Public health experts have mixed opinions on whether the efforts will provide useful tools for containing the pandemic. But even tools that do help can also introduce serious privacy concerns.

“It’s all very well intentioned, but there is a huge risk here that there could be some really pernicious discrimination, especially when you think about how this virus is disproportionately affecting African Americans, Hispanics, older Americans, and other marginalized communities,” says David Brody, counsel and senior fellow for privacy and technology at the Lawyers’ Committee for Civil Rights Under Law, an advocacy group that endorsed the Democrats' Public Health Emergency Privacy Act.

For instance, Brody says, if scientists develop a test for coronavirus immunity, consumers could be forced to disclose their status using an app before entering a store or a place of worship. Such data also could be used in hiring decisions or the pricing of life insurance.

Information collected for coronavirus research could be repurposed for targeted ads, or to jack-up online prices for masks or other products for households where someone has been infected. Advocates worry that coronavirus data could even be used for voter suppression in the November election if states required voters to download a contact tracing app before heading to the polls.

Those are realistic scenarios because there’s no comprehensive privacy law in the U.S. “It's really difficult to regulate this activity. Right now, if this bill doesn't get passed, we're in the Wild West,” Brody says.

The existing medical data law is HIPAA, the Health Insurance Portability and Accountability Act, but it protects the privacy of health data only when it’s in the hands of healthcare providers such as doctors and insurance companies. If a tech company learns you have COVID-19, there are essentially no limits on what it can do with that information.

“This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse,” said Sen. Roger Wicker, R-Miss., the lead sponsor of COVID-19 Consumer Data Protection Act, in a press release.

How the Two Bills Differ

The bills have a lot in common. The COVID-19 Consumer Data Protection Act was sponsored by Sen. Wicker and four other Republicans, while the Public Health Emergency Privacy Act was sponsored by Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., and six Democrats in the House of Representatives.

Both bills require that companies explain to consumers how their data would be used and who it will be shared with, then get consent to collect it. Both prohibit companies from reusing any of that data for other purposes, such as building advertising profiles of individuals, and both say companies have to delete any information that could identify consumers once the pandemic is over.

“These proposals offer meaningful protections that are stronger than the language in most privacy laws. That's a big deal,” says Justin Brookman, the director of privacy and technology policy at Consumer Reports. However, he says, the Democrats' bill provides consumers with stronger protections. Consumer Reports has endorsed PHEPA.

For one thing, PHEPA prevents the government from misusing data collected during the public health crisis. The Republican bill applies only to private companies. 

“The most glaring shortcoming in Senator Wicker’s proposal is the lack of any limits on law enforcement and government access to data,” says Christine Bannan, policy counsel at New America's Open Technology Institute, a think tank focused on technology and communication that also endorsed PHEPA. “In contrast, PHEPA only permits the data to be used for public health purposes.”

Another difference is that PHEPA has stipulations to prevent discrimination. The authors want to allow for some reasonable discretion—if a reputable contact tracing app says you’ve been exposed, perhaps it’s fair to ban you from an assisted living facility—while preventing other forms of discrimination, such rejecting an application to rent a house.

“PHEPA prohibits the data from being used to infringe upon the right to vote and to deny access to employment, finance, credit, insurance, housing, or educational opportunities,” Bannan says.

There are a few other major differences between the bills. For one, the Republican bill would invalidate state privacy laws; PHEPA would let those laws stand.

Many privacy advocates also favor PHEPA because it allows for a “privacy right of action,” meaning consumers would be allowed to sue companies for breaking the law. Without a private right of action, consumers wouldn't have a standing to bring a lawsuit even if their rights are violated. Enforcement would be left up to regulators such as the Federal Trade Commission, which lack the resources to go after many privacy violations even when the country isn't in the middle of a crisis.  

Others argue those same provisions actually weaken the Democratic proposal.

The threat of lawsuits stemming from PHEPA would “create even more liability during this pandemic and will discourage necessary innovation,” says Carl Szabo, the vice president and general counsel of NetChoice, a trade group whose members include Facebook and Google.

Allowing states to enforce their own privacy legislation could discourage companies from participating as well, Szabo says. They might be put off by the prospect of complying with a patchwork of state laws instead of a single national framework. “You're essentially upending a Good Samaritan approach to helping others by introducing a risk to companies’ bottom line,” Szabo says. 

Some experts say there’s a decent chance that one of the bills will pass. "Congress wants to be seen as doing something COVID-related, and there's bipartisan support," says Brookman, who advised Senators on the language in PHEPA, and frequently consults with legislators about how bills should address privacy concerns.

“We have to move forward in a smart way so that the sacrifices we might have to make on the privacy side are not so great that they overshadow the benefits of what we're trying to do by leveraging this data,” says Rachele Hendricks-Sturrup, health policy counsel at the Future of Privacy Forum, a technology policy advocacy group.

“That is really important to establish trust among the public and among the users of this technology,” she says.